What are the implications of the new guidance on DSARs?

Changes to employee data subject access requests could make it easier for businesses to deal with the process, says Melissa Chuttur

Data subject access requests (DSARs) are often the bane of employers’ lives – compiling the information sought is a time-consuming and arduous process. Unfortunately, DSARs, which give employees the right to access personal data held on them by an employer, has become an increasingly common tool for staff seeking information to strengthen potential employment tribunal claims.

While there is no escaping that DSARs are often difficult to deal with, there is a glimmer of hope in that new guidance published by the Information Commissioner’s Office (ICO) may make it easier for employers. This will ease the pain a little, but it doesn’t represent wholesale changes that mean employers can rest on their laurels.

New ‘stop the clock’ right

For many organisations, one of the main difficulties is they have just one month by default to compile all of the information their employee has requested. For a long-serving employee that is a lot of files and emails to search, review, collate and redact. The new guidance allows for employers to ‘stop the clock’ when they need to clarify what is being requested. 

This is undoubtedly a useful new tool for businesses but, crucially, the employee doesn’t have to narrow their request in response. The ICO makes it clear that stopping the clock shouldn’t be used as a blanket approach and can only be used when clarification is genuinely necessary and the employer processes a large amount of information about the individual. 

Organisations should seek clarification as early as possible because, if left too late, there will be insufficient time to comply when the clock resumes. However, if the employer doesn’t hear back within a reasonable period (the ICO says t one month would generally be considered reasonable), they can consider the DSAR closed.

Manifestly excessive requests

If a request is ’manifestly excessive’ then it can be rejected. Uncertainty has led to the ICO clarifying its position on this, by setting out factors to be considered in deciding whether a request is manifestly excessive. These include: the nature of the requested information, the context of the request, the relationship with the individual, available resources and whether a refusal to comply will cause substantial damage to the individual. 

However, it is still on the employer to show ‘manifest excessiveness’ and just because a large amount of information is requested does not of itself make it manifestly excessive. If you aren’t sure, seek specialist advice.

The other area of new guidance is around charging a fee when a request is manifestly excessive or manifestly unfounded. While there is still no guidance about how much a ‘reasonable fee’ is, there is now more guidance on what employers can take into account in deciding a fee. 

It may now become more commonplace to see companies asking for fees rather than refusing to comply with requests completely, with the same net outcome that the employee won’t get what they wanted because very few will be willing to pay. However, where an employer requires a fee to be paid, then it should explain the costs and provide a copy of its criteria for determining fees. Employers will therefore need to work out what those criteria are for them.

So what’s changed?

While the guidance does offer some clarity, and stopping the clock is especially useful for businesses, it remains the case that DSARs can be a painful and time-consuming experience. The main piece of advice I have is don’t wait until just before the deadline before pressing the panic button. Make sure you act early and have a clear and coordinated project plan – if you do that, things will be much easier.

Melissa Chuttur is an employment solicitor at Devonshires